NetWitness Community

Hi, RSA support team.

I tried to extract data on "meta data" tab(I'm not sure exactly tab name) with process_id, event.cat.name, process, event_time, h_code, account_id, hostname, event_description and so on.

But on "meta data" tab, it was shown part of things i had extracted.

Could you please explain how to make showing on meta data tab?

PS. If window snare logs are provided by RSA as supported sources, could you provide the xml file?

Thanks in advance.

Best regards.

Seungho Lee

Sopra Steria

3 Fusionopolis Way, Symbiosis #12-27

138633 Singapore - Singapore

Phone: +65 7571 5999 - Mobile: +65 8287 7662

seungho.lee@soprasteria.com<mailto:oliver.chung@soprasteria.com> - www.soprasteria.sg<http://www.soprasteria.sg/>

The content of this message may be confidential, legally privileged and protected by law. Unauthorized use, copying or disclosure of any of it may be unlawful. If you are not the intended recipient please notify the sender and remove it from your system. While attachments to this e-mail are checked for viruses, we do not accept any liability for any damage sustained by viruses.

Before printing, think about the environment.

make sure you have deployed the most current parser for your event source (what is the source system that you are attempting to log)

https://community.rsa.com/community/products/netwitness/parser-network/event-sources 

event sources are listed here, if its windows, how are you collecting (snare agent, wmi, nxlog ...)

make sure the parser is subscribed and deployed to your log decoders

what is the outcome of the log parsing?

• event.type is wrong for the device.ip?
• word meta generated?
• parse.error messages?

provide screenshots of where you thing the error is as well as what you expect the outcome should be.

not enough information shared in the post to get any sense of what could be the issue.

please review the details and provide the information to enable us to assist you as best we can.

Hi,

We are collecting window logs via snare agent.

Could you please provide XML file of this?

I have to extract(for display in "View Meta" tab of RSA SIEM) all part of window logs as customer's request.

So I tried to extract with process_id, event.cat.name, process, event_time, h_code, account_id, hostname, event_description and so on as provided by RSA.

But on "View Meta" tab, only some of things i extracted are shown.

How to make all of them shown on "View Meta" tab?

Thanks.

Best regards.

Seungho Lee

It sounds like you have enabled the winevent_snare parser.

Many of the meta you describe are disabled in the table-map.xml file

Have you tried enabling them to see the result?

Hi,

No, I didn't enable winevent_snare parser.

I just made as new for winevent_snare parser.

Could you please provide XML file of this?

Can I enable of all meta in the table-map.xml file?

It could be impact for performance of RSA?

Could you teach me how to enable simply?

Many thanks.

Best regards.

Seungho Lee

Sopra Steria

3 Fusionopolis Way, Symbiosis #12-27

138633 Singapore - Singapore

Phone: +65 7571 5999 - Mobile: +65 8287 7662

seungho.lee@soprasteria.com<mailto:oliver.chung@soprasteria.com> - www.soprasteria.sg<http://www.soprasteria.sg/>

The content of this message may be confidential, legally privileged and protected by law. Unauthorized use, copying or disclosure of any of it may be unlawful. If you are not the intended recipient please notify the sender and remove it from your system. While attachments to this e-mail are checked for viruses, we do not accept any liability for any damage sustained by viruses.

Before printing, think about the environment.

You need to download the winevent_snare parser from Live.

You can copy everything from the table-map.xml file and paste it in the table-map-custom.xml and then change all the flags=Transient to Flags=None

Once you do that reload the parsers and you will see a ton of new meta keys when you view the meta in the events tab. From there you can pick and choose what you would like to Index.

The impact to the system will be about a 15-20% high consumption of storage on the concentrator

Hi Dave.

Thanks for the reply.

I want to know 2 things more..

1. Can I know how to download the winevent_snare parser from Live?

2. And I want to do parser like this below for example

log -> a b c d e f g

message id(msg.id) -> b_d_e

Could you please teach me how to do like this combine at message id?